Description:
CakePHP is a RAD (Rapid Application Development) framework for PHP which uses commonly
known design patterns such as ActiveRecord, Association Data Mapping, Front Controller
and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability
caused by unsafe use of the readfile function, which allows an attacker to read any file
on the system that the webserver has read access to. This could be used to read password
files, sensitive configuration data, etc. An updated version of CakePHP has been released
and users are encouraged to upgrade their CakePHP installations as soon as possible.
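The mitigation pattern for this class of bug, as an added example that is not CakePHP's own code: user input never reaches readfile directly; the request is resolved against a canonicalised base directory, restricted to the expected file type, and rejected if the resolved path escapes that directory. The function names, the vendor directory layout and the sample files are assumptions.

```php
<?php
// Added example (not CakePHP's code): a hardened replacement for passing a
// request parameter to readfile(). Assumed layout: public JavaScript lives
// under $vendorDir and only *.js files may be served from it.

function resolveVendorFile(string $vendorDir, string $requested): ?string
{
    // Canonicalise the allowed directory once; fail closed if it is missing.
    $base = realpath($vendorDir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, NUL bytes and anything outside a simple relative
    // path ending in .js (absolute paths start with '/' and are refused here).
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (!preg_match('#^[A-Za-z0-9_][A-Za-z0-9_./-]*\.js$#', $requested)) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks; the result must
    // still be a regular file located inside $base.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped the vendor directory
    }
    return $full;
}

function serveVendorFile(string $vendorDir, string $requested): bool
{
    $path = resolveVendorFile($vendorDir, $requested);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    header('Content-Type: application/javascript');
    header('Content-Length: ' . filesize($path));
    readfile($path); // only ever called on a validated, in-tree path
    return true;
}

// Self-check on a constructed temporary directory (not real CakePHP files).
$dir = sys_get_temp_dir() . '/vendor_' . bin2hex(random_bytes(4));
mkdir($dir . '/js', 0700, true);
file_put_contents($dir . '/js/app.js', "console.log('ok');\n");
assert(resolveVendorFile($dir, 'js/app.js') !== null);      // allowed
assert(resolveVendorFile($dir, '../../etc/passwd') === null); // traversal refused
assert(resolveVendorFile($dir, 'js/../../app.js') === null);  // escapes base
```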

Arbitrary File Access
CakePHP allows developers to create dynamic content in a way similar to Ruby on Rails. One
of the files that provides front-end access to JavaScript for visitors is vulnerable to an
arbitrary file access vulnerability that allows an attacker to read any file on the system that
the webserver has read access to. Below is the vulnerable code from vendors.php